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The use of quantum bits (qubits) in cryptography holds the promise of secure cryptographic 
quantum key distribution schemes. Unfortunately, the implemented schemes can be totally insecure. 
We provide a thorough investigation of security issues for practical quantum key distribution, taking 
into account channel losses, a realistic detection process, and modifications of the "qubits" sent from 
the sender to the receiver. We first show that even quantum key distribution with perfect qubits 
cannot be achieved over long distances when fixed channel losses and fixed dark count errors are taken 
into account. Then we show that existing experimental schemes (based on "weak-pulse") are usually 
totally insecure. Finally we show that parametric downconversion offers enhanced performance 
compared to its weak coherent pulse counterpart. 
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Quantum information theory suggests the possibility 
of accomplishing tasks which are beyond the capability 
of classical computer science, such as information-secure 
cryptographic key distribution . The lack of security 
proofs for standard (secret- and public-) key distribu- 
tion schemes, and the insecurity of the strongest classical 
schemes against "quantum attacks" ||^, emphasizes the 
need for information-secure key distribution. Whereas 
the security of idealized quantum key distribution (qkd) 
schemes has been investigated against very sophisticated 
collective and joint attacks (e.g., [§j|]), the experimental 
QKD schemes have been proven secure against the simple 
individual attack only recently |^ (via the application of 
ideas presented here). 

In the four-state scheme usually referred to as 
Bennett-Brassard-84 (BB84), the sender (Alice) and the 
receiver (Bob) use two conjugate bases (say, the recti- 
linear basis, and the diagonal basis, x) for the po- 
larization of single photons. In basis -I- they use the 
two orthogonal basis states |0+) and |1+) to represent 
"0" and "1" respectively. In basis x they use the two 
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orthogonal basis states |0x 

= (1/V2)[|0+) - |1+)] to represent "0" and "1". 
The basis is revealed later on via an unjammable and in- 
secure classical channel. The signals where Bob used the 
same basis as Alice form the sifted key on which Bob can 
decode the bit value. The remaining signals are being 
discarded. Finally, they test a few bits to estimate the 
error-rate, and if the test passes (the tested error-rate 
is less than some pre-agreed threshold), they use error- 
correction and privacy amplification to obtain a poten- 
tially secure final key [0J|] . 

The security of that scheme, which assumes a source 
of perfect qubits as well as losses and errors which are 
bounded by some small threshold, has been investigated 



in various works. Very simple attacks already render re- 
alistic QKD impossible, as we show here. 

The experiments are usually based on weak coherent 
pulses (wcp) as signal states with a low probability of 
containing more than one photon [^|J^. Initial security 
analysis of such weak-pulse schemes were done [0,0, 
and evidence of some potentially severe security prob- 
lems (which do not exist for the idealized schemes) were 
shown 101,0. We investigate such limitations much fur- 
ther to show insecurity of various existing setups, and to 
provide several explicit limits on experimental QKD. 

First, we show that QKD can be totally impossible 
for given losses and detector dark-counts, even with the 
assumption of a perfect source. Second we show that 
QKD can be totally insecure even with the assumption of 
perfect detection, if considering losses and multi-photon 
states. In a combination we conclude that, for any given 
source and detection units, secure QKD schemes cannot 
be implemented to arbitrarily large distance. We analyse 
"weak pulse" schemes and show that the implemented 
schemes are insecure. Finally we prove the advantage of 
a better source such as parametric downconversion, and 
we show that it presents characteristics very similar to 
the semi-idealized schemes where perfect qubits are as- 
sumed. 

The effect of losses is that the signals will arrive only 
with a probability F at Bob's site where they will lead 
to a detection in Bob's detectors with a probability yye 
(detection efficiency). This leads to an expected prob- 
ability of detected signals given by Poxp'^' = F?]b. The 
transmission efficiency F is connected to the absorption 
coefficient f3 of the fibre, the length I of the fibre and a 
distance-independent constant loss in optical components 
c, via the relation 
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which, for given (3 and c, gives a one-to-one relation be- 
tween distance and transmission efficiency. Bob's de- 
tector is also characterized by a dark count probability 
Poxp'^ = ds- The dark counts are due to thermal fluctua- 
tions in the detector, stray counts, etc. In practice, ds is 
inferred as counts per time slot in the absence of the real 
signal. The total expected probability of detection events 
is therefore given by Poxp = ptip""^ + Pexf - Ptip'^^vt^p 
and neglecting the coincidence term (all involved proba- 
bilities are small) we get 
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The two contributions to the detected signals con- 
tribute differently to the error rate. The signal con- 
tributes an error with a probability pl'^nai ^ pgj. (arriving) 
signal, due to misalignment or polarization diffusion. The 
corresponding error probability per time slot is given by 
gsignai ^ psignaipsignai^ Qn thc Other hand, a dark count 

contributes an error with probability = 1/2, hence 
the corresponding contribution to thc error rate per time 
slot is given by e'^^'''^ — p'^^^{l/2). The total error rate 
per time slot, e, is e « p^'J^p'^'pg^"''' -t- ^Poxp"^; ignoring 
the coincidence term. The contribution to the error rate 
per sifted key bit is then given by pe — e/pcxp- Let us 
consider the dark counts (in the absence of any signal) 
to be a fixed parameter of an experimental setup. Thus, 
the dark count contribution to the error-rate becomes 
dominant when Pe'^p''' is decreased, that is, when the 
distance is increased. In the following, we use the bound 
e >« ^Pexp'^i to obtain limits on the distance of secure 

QKD. 

If the error rate per sifted key bit Pe exceeds 1 /4 and 
we (conservatively) assume that the eavesdropper has full 
control on the errors, there is no way to create a secure 
key. With such an allowed error-rate, a simple inter- 
cept/resend attack causes Bob and Eve to share (approx- 
imately) half of Alice's bits and to know nothing about 
the other half; hence. Bob does not possess information 
which is unavailable to Eve, and no secret key can be 
distilled. Using pe = e/pexp and Pe < -j, we obtain the 
necessary condition for secure QKD 
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and using Eq. g and e > p'^^^/2, we finally obtain 

signal _j_ dark ^ Oj,dark 
^cxp ^cxp — ^cxp ■ 

For ideal single-photon states we therefore obtain (with 
p'^^sn^^ = Fr]B andp^^;"^ = dg) the bound FrjB+de > 2dB 
which finally gives Ftib > • We see that even for ideal 
single-photon sources (SP), the existence of a dark count 
rate leads to a minimum transmission rate 
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below which QKD cannot be securely implemented. [Even 
for perfect detection efficiency (rjB = 1) we get a bound 
F > Fgp — de-] These bounds correspond, according to 
Eq. |l|, to a maximal covered distance. 

In a quantum optical implementation single-photon 
states would be ideally suited for quantum key distribu- 
tion. However, such states have not yet been practically 
implemented for QKD, although proposals exist and ex- 
periments have been performed to generate such states. 
The signals produced in the experiments usually contain 
zero, one, or more than one photon in the same polar- 
ization (with probabilities po Pi, and Pmuiti respectively.) 
The multi-photon part of the signals leads to a severe se- 
curity hole, as has been anticipated earlier ]7|, [lO| , |lT| . Let 
us present the photon number splitting (PNS) attack, 
which is a modification of an attack suggested in |l^] 
(the attack of [|lO| was disputed in |l^ so the modifica- 
tion is necessary): Eve deterministically splits one pho- 
ton off each multi-photon signal. To do so, she projects 
thc state onto subspaces characterised by n, which is the 
total photon number, which can be measurement via a 
quantum nondcmolition (QND) measurement. The pro- 
jection into these subspaces does not modify the polar- 
ization of the photons. Then she performs a polarization- 
preserving splitting operation, for example, by an interac- 
tion described by a Jaynes-Cummings Hamiltonian p^ ] 
or an active arrangement of beamsplitters combined with 
further QND measurements. She keeps one photon and 
sends the other (n — 1) photons to Bob. We assume (con- 
servatively) that Bob's detector cannot resolve the pho- 
ton number of arriving signals. When receiving the data 
regarding the basis. Eve measures her photon and obtains 
full information. Each signal containing more than one 
photon in this way will yield its complete information to 
an eavesdropper. 

The situation becomes worse in the presence of loss, in 
which case the eavesdropper can replace the lossy chan- 
nel by a perfect quantum channel and forward to Bob 
only a chosen signal. This suppression is controlled such 
that Bob will find precisely the number of signals as ex- 
pected given the characterisation of the lossy channel. If 
there is a strong contribution by multi-photon signals, 
then Eve can use only those signals and suppress the 
single-photon signals completely, to obtain full informa- 
tion on the transmitted bits. Even for the case of perfect 
detectors in Bob's hands (773 = 1 and dp = 0) the above 
argument leads to a neccesary condition for security 
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If this condition is violated. Eve gets full information 
without inducing any errors. For given probabilities pi 
and Pmuiti (and given transmission rate F), a bound on 
thc distance is obtained, even for perfect detection. 
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We assume that Eve has control on rj^ (which is a rea- 
sonable assumption, but somewhat conservative); also we 
use the standard conservative assumption that all errors 
are controlled by Eve (including dark counts). Without 
these assumptions, one gets much better security but one 
that is more difficult to justify properly. 

Whereas this work concentrates mainly on insecurity 
results, we also obtained here a result important for pos- 
itive security proofs: For a general source (emitting into 
the four BB84 polarization modes) analyzing all possible 
attacks in a large Hilbert space (the Fock space) is a very 
difficult task. However, if Alice can dephase the states to 
create a mixture of "number states" (in the chosen BB84 
polarization state) the transmitted signals are replaced 
by mixed states. Then, these states do not change at all 
when Eve performs the QND part of the PNS attack! [A 
QND measurement on the total photon number] . There- 
fore Eve can start her attack by a PNS attack without 
loss of generality, and hence, the PNS attack becomes 
the optimal attack. Fortunately, in realistic scenarios 
the dephasing happens automatically (or with little help 
of Alice) Following this observation, a complete positive 
security proof against all individual particle attacks has 
been subsequently given More sophisticated collec- 
tive and joint attacks can also be restricted to the PNS 
attacks. 

Let us return to the necessary condition for security. 
We can combine the idea of the two criteria above, (^, 
to a single, stronger one, given by 
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This criterion stems from the scenario that Eve splits 
all multi-photon signals while she eavesdrops on some of 
the single-photon signals. We can think of the key as of 
consisting of two parts: an error free part steming from 
multi-photon signals, and a part with errors coming from 
single-photon signals. The error rate in the second key 
has therfore to obey the same inequality as used in cri- 
terion (H). 

We now explore the consequences of the necessary con- 
dition for security for two practical signal sources. These 
are the weak coherent pulses and the signals generated 
by parametric downconversion. 

In QKD experiments the signal states are, typically, 
weak coherent pulses containing, on average, much less 
than one photon. The information is contained in polar- 
ization mode of the WCP. 

Coherent states |a) — e"'"' ^„ a^/^/n\\n) with am- 
plitude a (chosen to be real) give a photon number dis- 
tribution (per pulse [T^) p„ = e"" (Q!^)"/n!. Since we 
analyze PNS attack only, it doesn't matter if the realis- 
tic "coherent state" is a mixture of number states. Thus, 
Z]r=i exp(-i^ryBa^) (F?7Ba^)" /n\ and Pmuiti = 

and 
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the error rate e = ^de we find for <C 1 (by expanding 
to 4th oder in a and neglecting the term proportional to 
i^^Tyla'*) the result 
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Obviously, there is an optimal choice for c? which leads 
to the bound 
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, exp(-a2) ln\. With pexp ~ P^'#p""' 



To illustrate this example we insert numbers taken from 
the experiment performed at 1.3/im by Maraud and 
Townsend ll3|. We use r/g 0.11, = 10"'^ Then 
the criterion gives F > 0.041. With a constant loss of 
5 dB and a fiber loss at 0.38 dB/km, this is equivalent, 
according to Eq. (|l|), to a maximum distance of 24 km 
at an average (much lower than standard) photon num- 
ber of 4.5 X 10"'^. As we used approximations in the 
evaluation of Eq. (^, the achievable distance could differ 
slightly from this values either way. 

With c? — 0.1, as in the literature, secure transmission 
to any distance is impossible, according to our conditions. 
In that case, even if we assume rye to be out of control 
of the eavesdropper, we find that secure transmission to 
distance of 21 km is impossible. Frequently we find even 
higher average photon numbers in the literature. 

The WCP scheme seems to be prone to difficulties due 
to the high probability of signals carrying no photons (the 
vacuum contribution). This can be overcome in part by 
the use of parametric downconversion (PDC) scheme, or 
other single photon sources. PDC has been used before 
for QKD We use a different formulation which en- 

able us to analyse the advantages and limits of the PDC 
method relative to the WCP one. 

To approximate a single-photon state we use a PDC 
process where we create the state in an output mode de- 
scribed by photon creation operator a) conditioned on 
the detection of a photon in another mode described 
by fot^ If we neglect dispersion, then the output of 
the PDC process is described [|l^ on the two modes 
with creation operators and 6^ using the operator 
Tahix) = exp{ix(at6t _ ah)), with x < 1, as \^ah) = 
Ta6(x)|0, 0) « (1 - xV2 + ^X')|0, 0) + (x - |x')|l, 1) + 
- ix*)|2,2) -|-x^|3,3) -Hx'*|4,4). The states in this 
description are states of photon flux, and we assume the 
addition of choppers in order to deal with photon num- 
bers per pulse as in the wCP case. 

If we had an ideal detector resolving photon num- 
bers (that is, a perfect counter) then we could cre- 
ate a perfect single-photon state by using the state in 
mode a conditioned on the detection of precisely one 
photon in the pulse in mode 6. However, realistic de- 
tectors useful for this task have a single-photon detec- 
tion efficiency far from unity and can resolve the pho- 
ton number only at high cost, if at all. Therefore, we 
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assume a detection model which is described by a fi- 
nite detection efficiency rjA and gives only two possible 
outcomes: either it is not triggered or it is triggered, 
thereby showing that at least one photon was present. 
The detector may experiences a dark count rate at 
per time slot. The two POVM elements describing this 
kind of detector can be approximated for our purpose 
by Eo = [1- dA)|0)(0| + E,T=i(l - ^A)"|n)(n| and 
Sciick = rfA|0)(0| + Er=i(l - (1 - VAr)\n)(n\. The re- 
duced density matrix for the output signal in mode b 
conditioned on a click of the detector monitoring mode a 
is then given by 
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p= -Trfc[|*,b>(*a6|Sclick] 
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with the normalization constant N. To create the four 
signal states we rotate the polarization of the signal, for 
example using a beam-splitter and a phase shifter. Note 
that a mixture of Fock states is created by the detection 
process, so that the PNS attack is optimal for Eve. 

After some calculation following the corresponding cal- 
culation in the WCP case, the necessary condition for se- 
curity (H) takes for the signal state (||) the form 
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since we assume de ^ 1 and ^ 1 and neglect terms 
going as x*; (^bc^A; and x^^b- The first error term is due 
to coincidence of dark counts, the second error term is 
due to coincidence of a photon loss and a dark count at 
Bob's site; the third term is the effect of multi photon 
signal (signals that leak full information to the eaves- 
dropper). As we did in the wCP case, we optimize this 
expression to find the criterion 
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If we now assume that Alice and Bob use the same de- 
tectors as in the wCP case with the numbers provided 
by ||l3| we obtain FpDc > 8.4 x 10^^ corresponding via 
Eq. (|l ) to a length of 68 km. 

Since we can use down-conversion set-ups which give 
photon pairs with different wavelength, we can use 
sources so that one photon has the right wavelength for 
transmission over long distances, e.g. 1.3 /xm, while the 
other photon has a frequency which makes it easier to 
use efficient detectors [Q. In the limit of Alice using 
perfect detectors (but not perfect counters) {rjA = 1 and 
dA = 0), we obtain 
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as for the single-photon source, leading to a maximal 
distance of 93 km. This optimal distance might also be 



achievable using new single-photon sources of the type 
suggested in p7| ]. 

We have shown a necessary condition for secure QKD 
which uses currently experimental implementations. We 
find that secure QKD might be achieved with the pre- 
sented experiments using wCP if one would use appropri- 
ate parameters for the expected photon number, which 
are considerably lower than those used today. With cur- 
rent parameters, it seems that all current experiments 
cannot be proven secure. The distance which can be cov- 
ered by QKD is mainly limited by the fiber loss, but wCP 
schemes might be totally insecure even to zero distance 
(in several of the existing experiments), due to imperfect 
detection. The distance can be increased by the use of 
parametric downconversion as a signal source, but even 
in this case the fundamental limitation of the range per- 
sists, and a radical reduction of /3 or of the dark counts 
is required in order to increase the distance to thousands 
of kilometers. 

The use of quantum repeaters (based on quantum 
error-correction or entanglement purification) in the far 
future, can yield secure transmission to any distance, and 
the security is not altered even if the repeaters are con- 
trolled by Eve 
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